malloc/free: tcache security patch

Ondřej Bílka
Fri Apr 20 21:36:00 GMT 2018

On Fri, Apr 20, 2018 at 09:44:10PM +0900, æ¸
水祐太郎 wrote:
> Hello
> I'm Yutaro Shimizu (ShiftCrops).
> I want to patch malloc.c.
> The mechanism of tcache is very similar to fastbins.
> However, I can malloc from arbitrary addresses by tampering the tcache_entry.
> That's because there is no chunk verification process.
> I think it is an important security issue.
This was discussed recently, search archives.

In short malloc check don't protect you and can't protect you. This
patch only makes malloc slower for false sense of security.

Attacker could use buffer overflow in lot of ways before its freed. Also
attacker could with some effort examine check and fake data structure to
make check pass.

These are mainly used as tool to debug malloc implementation. That they
sometimes serve as poor's man valgrind is secondary. You should use
valgrind to find and fix buffer overflows in first place.

More information about the Libc-help mailing list